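# Pi-hole behind Traefik: DNS (port 53) is published directly on the host,
# the admin web UI is reachable only through the reverse proxy.
# ${FQDN} is interpolated by Compose and must be set in the shell
# environment or in the .env file next to this file.
version: "3.8"

networks:
  proxy_infra:
    external: true

# More info at https://github.com/pi-hole/docker-pi-hole/ and https://docs.pi-hole.net/
services:
  pihole:
    # Pinned to a release tag. Tags can be re-pushed; pin by digest
    # (image@sha256:<digest>) if an immutable reference is needed.
    image: pihole/pihole:2025.11.1
    ports:
      # LSC: I am not relying on Traefik to proxy DNS, in order to not lose
      # name resolution when restarting the reverse proxy.
      # These mappings bind on every host interface. If the host has an
      # interface that is not on the LAN, prefix them with the LAN address
      # ("<LAN_IP>:53:53/udp") or firewall port 53, so the resolver is not
      # reachable from outside.
      - "53:53/tcp"
      - "53:53/udp"
      # LSC: No need for DHCP, already handled.
      # This is for BOOTP, taken over by DHCP.
      #- "67:67/udp"
      # Web UI handled through Traefik
      #- "9000:80/tcp"
    environment:
      # Set the appropriate timezone for your location from
      # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, e.g:
      TZ: "Europe/Zurich"
      FTLCONF_misc_etc_dnsmasq_d: 'true'
      # If using Docker's default `bridge` network setting the dns listening
      # mode should be set to 'ALL'.
      # 'ALL' makes Pi-hole answer queries from any source address, so the
      # only restriction on who can use the resolver is the port publishing
      # above plus the host/network firewall.
      FTLCONF_dns_listeningMode: 'ALL'
      # Admin password is read from a file instead of being written here.
      # NOTE(review): the v6 image documentation describes WEBPASSWORD_FILE as
      # a Docker secret, and FTLCONF_webserver_api_password takes precedence
      # when set. Confirm in the container start-up log that the password is
      # really taken from this absolute path.
      WEBPASSWORD_FILE: "/webpassword"
    # Volumes store your data between container upgrades
    volumes:
      # Mounted read-only. Keep the host file out of version control and
      # readable only by the account that runs Compose.
      - "./conf/webpassword:/webpassword:ro"
      # For persisting Pi-hole's databases and common configuration file
      - "./etc-pihole/:/etc/pihole/:rw"
      # Uncomment the below if you have custom dnsmasq config files that you
      # want to persist. Not needed for most starting fresh with Pi-hole v6.
      # If you're upgrading from v5 and have used this directory before, you
      # should keep it enabled for the first v6 container start to allow for a
      # complete migration. It can be removed afterwards.
      # Needs environment variable FTLCONF_misc_etc_dnsmasq_d: 'true'
      #- "./etc-dnsmasq.d/:/etc/dnsmasq.d/:rw"
      - "./etc-pihole-updatelists:/etc/pihole-updatelists/:rw"
    # No extra capabilities are granted; keep it that way unless one of the
    # features below is actually used.
    #cap_add:
    #  # See https://github.com/pi-hole/docker-pi-hole#note-on-capabilities
    #  # Required if you are using Pi-hole as your DHCP server, else not needed
    #  - NET_ADMIN
    #  # Required if you are using Pi-hole as your NTP client to be able to set the host's system time
    #  - SYS_TIME
    #  # Optional, if Pi-hole should get some more processing time
    #  - SYS_NICE
    restart: always
    networks:
      - proxy_infra
      - default
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=proxy_infra"
      - "traefik.http.services.pi-hole.loadbalancer.server.port=80"
      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.permanent=true"
      # Anchored at both ends so that only the bare root URL is rewritten to
      # /admin; without the leading ^ the pattern also matched any URL that
      # merely ended in this text. `$$` is Compose's escape for a literal `$`.
      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.regex=^https://${FQDN}/?$$"
      - "traefik.http.middlewares.pi-hole-redirect.redirectregex.replacement=https://${FQDN}/admin"
      # Priority goes from first in the list to last.
      - "traefik.http.middlewares.pi-hole.chain.middlewares=headers-base@file,headers-sts@file,headers-policy-self@file"
      # Pi-Hole
      - "traefik.http.routers.pi-hole.service=pi-hole"
      - "traefik.http.routers.pi-hole.entrypoints=web-secure"
      # Do not filter on prefix, otherwise the redirect does not work...
      - "traefik.http.routers.pi-hole.rule=Host(`${FQDN}`)"
      - "traefik.http.routers.pi-hole.tls=true"
      # This service is allowed only inside the LAN, but a Let's Encrypt
      # certificate is now required for access from Safari 15.
      # A publicly issued certificate puts the host name into Certificate
      # Transparency logs, so do not treat ${FQDN} as a secret.
      - "traefik.http.routers.pi-hole.tls.certresolver=letsencrypt"
      # net-home@file and auth-traefik@file live in Traefik's file provider
      # and are not visible here; presumably the LAN allow-list and the
      # authentication in front of the admin UI. Review changes to that
      # file with the same care as changes to this one.
      - "traefik.http.routers.pi-hole.middlewares=pi-hole,net-home@file,auth-traefik@file,pi-hole-redirect"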